GhostHook: A Kernel-Level Threat in 64-Bit Windows Systems

GhostHook is a new attack technique that allows attackers to bypass the kernel protections of Windows 10 PatchGuard and plant rootkits within systems. PatchGuard is a protection mechanism designed to stop the kernel of 64-bit versions of Windows from being patched, preventing attackers from executing malicious code or running rootkits at the kernel level.

According to the researchers at CyberArk, GhostHook is neither an elevation nor an exploitation technique but a post-exploitation attack in which the attacker already has control over the compromised system. It gives the attacker the ability to hook almost any piece of code running on the system.

How does GhostHook work?

GhostHook targets only systems running Intel PT (Processor Trace), a hardware feature designed to support debugging and the hunting of malicious code.

The attacker first uses an exploit or malware to compromise a target machine and then deploys GhostHook. Once the machine is compromised, the attacker can install a rootkit in its kernel that would be completely undetectable to third-party anti-virus and security products and invisible to Microsoft's PatchGuard itself.

Is there a patch for this?

CyberArk researchers believe that GhostHook may be extremely difficult for Microsoft to patch, as the technique uses hardware to gain control of critical kernel structures. Microsoft's position is that because the technique requires an attacker to already be present on a compromised system, it does not treat it as a security flaw.

“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update, however it may be addressed in a future version of Windows.” – Microsoft

Microsoft has not yet released a patch for this, but has said it may address the issue in a future version of Windows.
